Rebuttal on the Worlds “Best” Password Advice

It’s not every day I come across something so wrong about password managers that it moves me to write a response.

Michael Horowitz writes the article in question, you can read it here

The main point of the article is that password managers are bad, and using formula based passwords are good. I’ve already done a post on why formula based passwords systems are not as clever as you think, but this deserves its own response.

First off, I mean no disrespect to Michael Horowitz, I much appreciate that he was able to list reasons why not to use a password manager, but the advice he’s giving can leave a person worse off if they just had used a password manager.

The Same Old Song And Dance

What Michael recommends doing is the same old advice that many people give out when it comes to these formula based passwords.

You pick a phrase that you always use along with something that relates to the website.

The example phrase or constant as he puts it would be “BabeRuth.” For the thing that relates or the variable will be whatever reminds you of that website.

For Amazon, you would use “BabeRuthAmazon” or in one of his examples “BabeRuthJungle” because the jungle reminds you of the Amazon.

There are several things wrong with this approach.

1. When (not if) one of your passwords is breached, it’s not hard to figure out your other passwords. It would not be hard to figure that your PayPal password is “BabeRuthPayPal” or your Barnes & Noble password is “BabeRuthBook.”
2. A few websites have strict password rules. Not all of them accept special characters, and some do a max of 12 characters like Walmart, “BabeRuthWalmart” will not work. Also, what do you do if the website requires or does not require a special/number? How do you remember what site needs the special or number as most don’t remind you of the password rules when you sign in to an account?
3. Not only do you need to remember the password rules for every website, but to be the most effective, you need very unique variables. Using the websites name or its initials will make it easy to guess all your other passwords in a plain text breach. You’ll need to make all the variables unique, but the average person will have over 200 online accounts by 2020. Even if you had only 50 passwords how is one to remember all these variables – it’s almost like they need a secure app that allows them to manage and password protect this information.
4. A lot of people will share the same constants and phrases. A lot of people like BabeRuth and a lot of them shop at Amazon too. This is a problem with people; we’re very predictable.

I want to dive into Number 4 a little more. We can use https://haveibeenpwned.com/Passwords to see what passwords have been in KNOWN breaches.

“BabeRuth” has been found 44 times!

“baberuth”, the non-capitalized version has been found 4,102 times.

With formula based passwords we run into the problem of people picking the same words as others thus making brute force attacks a lot easier. People share a lot of things in common, and their passwords should not be one of them.

Just because you’re adding the websites name to the end of the password doesn’t make it more secure or unique.

I bet the 31 people who thought “passwordfacebook” was a great password.

Or the 24 who thought they were clever and only did the initials “passwordfb”.

Ah! I hear some of you; you would not be so dumb to use “password” or any person’s name.

Well… I bet the people who used “pinkamazon” (10) and “pinkadobe” (3) were thinking they were clever too.

Why You Should Use A Password Manager

Now it’s time for me to answer all the issues he has about using a password manager.

1. “There is a learning curve with all software. Techies underestimate how much of a pain this can be for non-techies.”

This one I agree on, but his solution is where I defer from. If a user can use a web browser, then using a password manager is not any harder. If anything, it makes your life easier with autofill.

Just because there is a slight learning curve doesn’t mean we should not go after better security. This is like complaining that you have to use a PIN with your ATM card while at the bank. Getting hacked is far more painful then a password manager will ever be.

For the 1% who refuses to use a password manager, I have them generate passwords from https://www.dinopass.com/ and write them down. This way, they have completely unique passwords for every account that are easy to type in. They understand paper and pen, and they don’t need to use their brains to come up with some complex formula that they’ll forget anyway.

2. “No software runs on every Operating System or supports every web browser, so you are limited where you can use any one particular password manager.”

It’s in the password manager companies best interest to have their software work on the most popular Operating Systems and Browsers.

Who’s not running either Windows, Mac, iOS, Android, Chrome, Safari, Firefox, or even Opera? The vast majority of password managers work for those OS’s and Browsers with many of them also offering online access – if you can access a webpage you can access your passwords.

3. “The most secure Operating System most people have access to is a Chromebook running in Guest Mode. A formula works there, a password manager does not”

A Chromebook being the most secure OS is debatable, especially since it’s just the Chrome Webbrowser.

To answer your question, Chrome is the most popular browser, and every password manager supports it. Like I’ve said before, many of the password managers have a web interface so if you can go to a webpage you can get your passwords.

4. “All software has bugs, password managers included. Not only might you be vulnerable to a bug, but you certainly are on the hook for keeping the password manager software up to date. That alone rules out password managers for some people. A formula will never have a bug and never require an update.”

Do you know what has more bugs? A system you derive without anyone checking it out. I bet the author never realized the bug in his password system could reveal all the other passwords he uses. Or how people are more likely to pick an easy to crack/guess constant.

The great thing about a password manager is that many of them are open source. That means many eyes are looking at the code for bugs. The ones that are not open source still use code that has been proven for decades called AES encryption. If a password manager company wants to stick around, it’s in their best interest to not screw this up. They will always go for the tried and tested.

I have to make a note as he’s given us a link to a password manager that had a bug. So I’ll provide a link too.

[link]

It was from HP, and it was a keylogger which could easily steal all the manually typed in passwords, the kind of password that Michael tells us to use. If you had a password manager this HP bug would not have been a big deal as password manager autofill without using the keyboard.

5. “With a password manager, you have to trust that it works correctly. The software is a black box to most people. With a formula, you do not need to trust anyone or anything.”

I agree that it’s all about trust, but with a formula, you have to trust that no one else uses your words and that the websites you use don’t leak that password that is very similar to all your other passwords.

I don’t know about you, but I have a hard time trusting other people and 200 websites I have no control over on how they store my passwords. These websites are like black boxes; you don’t know what they’re doing with your passwords. They could be selling it since it’s a unique way to identify a person across the internet, especially if every password has “BabeRuth” in it. They could even be careless like Facebook recording people’s passwords in plaintext to log files.

All it takes is one employee to see that you use “BabeRuthFacebook” so that must mean you used “BabeRuthPayPal” for your PayPal account. Imagine all the other websites making the same mistakes and not even reporting it.

I do trust myself with my encrypted password vault full of unique passwords for every account that I can put wherever I want with a master password that I only know.

6. “A formula lets you write down the variable part of the password – safely. That is if you write down that your Amazon password is “jungle” and someone sees this, it’s only half the actual password. No one is hacking a password written down on paper. You can put all your passwords in a book, and if the book is stolen, you are still protected, as long as the fixed part of each password was not written down in the book.”

Great minds think alike!

I do the same thing in my password managers; I call it peppering your passwords.

Generate a random password with your password manager and add a word only you would know to the end of it. When you save the password in your password manager leave out the pepper. When it’s time to log into that site have the password manager fil in what it has and then add your pepper.

If you pepper your most important passwords, I find there is no reason not to trust a password manager. Even if someone gets your vault of passwords, they still don’t have the real passwords.

The great thing about peppering is that you don’t need to write it in a book that can be lost or stolen. It’s just one word, and the real power is in the random password your password manager generated. You could even hide the pepper in plain sight located in a secure note for the secret family recipe. So many possibilities!

7. “When a password manager generates passwords for you, it may create a password that is too long for the target system, or, that contains characters the target system does not allow. It is much easier to deal with this sort of thing when using a formula.”

You got this one backwards.

If you generate a password the site doesn’t like you just press a button to change it. Many password managers know this and will default to 12 characters long and no symbols as this is what 98% of all websites want. Some like Apple’s Safari password manager have a huge list of all the most popular websites and their password requirements and know what to generate beforehand.

If you’re using a formula of “BabeRuthWalmart”, it won’t work for Walmart as they have a max of 12 characters. So what do you do? You’ll have to change how you do your formulas, and so you don’t forget it you’ll have to write it down. This adds more complexity and things for you to remember. What do you do if you don’t have or lose your book to remember all the nuances of this particular website?

Not only that, having to manually type in each character of your password until it accepts one is far more annoying then pressing a single button on a password manager.

8. “Some websites do not allow passwords to be pasted into the login form. That’s a problem for password manager software, not for a formula.”

Good thing most password managers don’t paste passwords but instead fill passwords. Pasting is a security issue; any app can spy on the clipboard and steal data. Password managers directly fill from the browser plugin avoiding paste.

9. “A formula is free, some password managers are also free, but some are not.”

You already answered it for me. You can use free password managers, and many of them are good like Bitwarden.

For when it comes to paying, can you name a service that is more important than the one securing your most important passwords?

You’re not paying for an app, your paying for the security and protection that a team of people who’s entire job is passwords and how to keep them safe.

With a formula, you’re getting what you paid for – the guy who’s in charge of it is the same guy who forgets why he walked into that room or where he left his keys.

10. “The security of web browser extensions.”

The argument is that password manager browser extensions can read and change anything on the webpage. They need to be able to do this so they can fill your passwords and avoid the clipboard vulnerability I’ve discussed before.

For someone to make this argument is someone who doesn’t fully understand the security of extensions. It’s insulting to think that password manager companies are not taking steps to protect you and your data. There are levels of encryption and sandboxing in place so that no one but you can see your password data. They have guys who sit in rooms looking for ways to exploit their own extensions. Bounties are given to anyone who can find a way in that there team of guys missed.

As I say, you’re not paying for a PW app but instead buying a team whose job is to keep your data safe.

If you’re that super worried, you can get a password manager that doesn’t need a browser extension and uses auto-type instead.

Or pepper your most important passwords as I’ve pointed out before.

11. “When using someone else’s computer, the password manager software is not available.”

First, don’t use a computer you don’t trust. It doesn’t matter if you use a password manager or a formula.

If you need to use a computer that doesn’t have your password manager on it, there are several options.

The first, just use your phone. Every password manager has an option for a mobile app for both iOS and Android. Open the app and type in the password. If this is something you often have to do you can make the password simple, uniqueness is more important than complexity for online accounts.

The other option is to log in to your vault from the online portal. LastPass, Bitwarden, and 1Password just to name a few allow you to access your vault from any web browser. All the data is done locally in the browser’s cache and is decrypted and encrypted there too. You can copy and paste the password wherever you want.

How often are you away from your computer or phone that you need to log in right away? Why do you need to use a friends computer? Why not use your phone’s web browser to log in with the PW App? Many of the password manager mobile apps have a built-in secure Browser that makes this seamless.

What is so important that you can’t do it from your phone or wait till you get home?

The real kicker for me is if you do use a formula and take it very seriously you’ll have to store the password requirements and the other variables somewhere. If you don’t have that on you, are you not just as screwed?

Would you rather carry around an unprotected notebook of your passwords or a password manager on your phone that can autofill the passwords on your phone’s browser?

It seems the people who make this argument haven’t heard they make password manager apps for phones or have web interfaces or they’re only looking for a problem they don’t have.

12. “What if you want to switch away from a password manager you are currently using?”

Every password manager has an export button that allows you to move to another password manager. They all have instructions on how to import from another password manager.

If you want to switch away, it’s the same song and dance. You export to a CSV file which can be open by any spreadsheet program. With the spreadsheet, you can do whatever you want with the information.

You’re not locked into the password manager if that is what you’re hinting at.

Just to prove this here is links to the top password managers showing you how to export your data.

• https://support.1password.com/export/
• https://help.bitwarden.com/article/export-your-data/
• https://support.dashlane.com/hc/en-us/articles/202625092-How-to-export-or-back-up-your-Dashlane-account
• https://help.roboform.com/hc/en-us/articles/230425008-How-to-export-your-RoboForm-logins-into-a-CSV-file

13. “All your eggs in one basket? Really? There is a reason this phrase is popular.”

You act like this is a bad thing. [link]

Who do you trust more, 200 websites you don’t control storing your similar passwords or one single database with all unique passwords that you do control?

1. BabeRuthAmazon
2. BabeRuthFacebook
3. BabeRuthPayPal
4. BabeRuthTwitter
   .
   .
   .

200. BabeRuthOutlook

All it takes is ONE website to get breached to know all your passwords. Even if you did use something more complex, they still know the first half of all your passwords. The more of those websites that get breached, the easier it is to figure out your formula. The more websites storing your passwords the more likely you’re to have passwords leaked.

If you had used a password manager…

1. CyL8BjH3fyn8JNDR5Bd
2. oyster-uncanny-crispy-irritate
3. xk9q*BPu49,FKv7p
4. oddgeese26
   .
   .
   .

200. Z,k;e,4mkVUn#mzNRtHNRBkWP#qwp:AAWY9SStHY,FA

One account getting breached won’t lead to the others. The passwords share nothing alike and you have the ultimate control on where you get to keep that encrypted database.

If you think about it, using a password manager and letting it generate all unique passwords seems to be the most reasonable approach.

More Reasons To Use A Password Manager

1. You can store more than passwords. Family recipes, instructions on how to fix the printer, PIN to Safe, Drivers license, Insurance card, a Credit card for easy checkouts (don’t have to store the credit card on a website you don’t trust), Serial numbers, Software Licences, etc. The sky is the limit!
2. Can share passwords securely, something a formula can’t do.
3. Can limit and share passwords to employees in your business.
4. Helps stop phishing attacks, something a formula can’t do.
5. Takes away the stress of thinking about passwords.
6. Can be used if you die or can’t physically use a computer. It’s hard to explain your formula if you’re dead. It goes beyond paying bills, it’s about the little things like the pictures in your Google Photos account or the little notes locked in your phone.
7. No fat finger typing.
8. No wondering if you type the password correctly and then backspacing the whole thing and starting again.
9. No worry about someone or a camera watching you as you type your Facebook password in. Many password managers can open with just your fingerprint or your face, no need to enter any passwords in public.
10. A flash drive or cloud back up is more likely to survive a natural disaster than the piece of paper with parts of your formula on it.

The Biggest Reason To Use A Password Manager

The biggest reason to use a password manager is to stop password reuse.

Password reuse is the biggest threat you’re facing online.

Websites get breached and passwords stolen on the regular, and it’s only going to get worse.

Telling people to use a formula that reuses parts of your password is not solving the problem, if anything it’s making it worse. Using “BabeRuth” at the start of every password is not unique!

Using completely unique passwords for every account is the best thing you can do, and a password manager makes this easy.